Home page logo
/

webappsec logo WebApp Sec mailing list archives

Re: "Forgot Password" function
From: "Kevin Spett" <kspett () spidynamics com>
Date: Sun, 20 Oct 2002 21:19:39 -0400

The simple solution to this problem is to actually generate a new
password for the user and email them that instead and force them to
change it on the first login. That achieves a few security goals:

This does nothing to defend against the scenario I wrote about earlier in
this thread.  You can read it here:
http://archives.neohapsis.com/archives/sf/www-mobile/2002-q4/0020.html

To reiterate, unencrypted email offers no garauntee of privacy or
authenticity.

Kevin Spett
SPI Labs
http://www.spidynamics.com/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]